Week in security with Tony Anscombe

ESET research into a campaign of the Winnti Group – The FBI warns of a job scam – What IoT legislation means for device makers and users

ESET researchers publish their findings about how the Winnti Group deployed ShadowPad and Winnti malware to target universities in Hong Kong. Meanwhile, the FBI has warned of a scam where fraudsters spoof company websites and post bogus job ads in order to dupe job seekers into handing over their personal data and paying fraudulent fees. The UK government is proposing legislation to secure IoT devices, and other countries may follow suit – what do such laws mean for IoT device makers and users? All this – and more – on WeLiveSecurity.com.

Don’t get sacked! Scams to look out for this Super Bowl

As the teams prepare to battle it out on the gridiron, fraudsters are waiting to intercept your funds

One of the most-anticipated sporting events of the year is almost here. Like any popular event, the Super Bowl can be a fertile breeding ground for various malicious actors looking to scam you out of your hard-earned money or your personal data. A wide variety of scams targets both spectators who are watching from the comfort of their living rooms and those cheering for their teams in the stadium. Here are some ways you can tackle security offenses that may be targeted against you.

Streaming from unverified sites

As a fan, sometimes you cannot attend the match of your favorite team, yet you want to cheer them on from the other side of a screen while they battle for that coveted trophy. To do that, you may resort to looking for a live stream of the match. A free live streaming website might seem like the most convenient choice, but these services function as a trap for unwitting fans.

These websites don’t just host live streams; they expose you to myriad risks such as malware downloads, personal data theft or even financial scams. One of the most dominant features is an onslaught of ads, which are not just exceedingly annoying but, in some instances, malicious as well. If you click on one of these ads it can redirect you to malicious website hellbent on stealing your data. Some ads will try to convince you that your device is already infected by malware and the only way to get rid of it is by downloading its tool.

Alternatively, there will be multiple play buttons floating over the web player and only one is the real deal, while the rest will redirect you to a malicious website. The Super Bowl isn’t the only event targeted. Every major sports event is an attractive playground for hackers waiting for eager sports fans to drop the ball.

Tickets from unofficial sources

Usually by this time most tickets and ticket packages have already been sold out. Yet some fans who forgot to buy tickets, or have a spur-of-the-moment decision they want to go are still on the hunt for the last few that haven’t been claimed. This is an opportunity for scammers to offer “bargain tickets” to the latecomers. No wonder, since fake Super Bowl tickets and merchandise are a US$24 million business, according to MarketWatch. As a rule of thumb, you should always stick to official channels through which tickets are sold, such as the official NFL website or any other official resellers or affiliates that comply with the NFL’s rules or are explicitly named on their website.

Related reading: Hackers blitz social media accounts of 15 NFL teams

Another channel through which scammers may target you is informing you that you’ve won tickets in a raffle or lottery, much the same way they do during similar events like the FIFA World Cup. This usually takes the form of a sloppily written email, asking you to share your personal information or pay a processing fee. Alternatively, they may include an attachment or link that leads to downloading malicious code to your machine. The NFL does run an official lottery but, according to its website, it accepts submissions only between “February 1 and June 1 of the year preceding the Super Bowl.”

Apps and hotspots

To ease your Super Bowl experience, you may download apps to help you prepare for game day. Before the Big Game, there will probably be apps appearing left and right, trying to entice you to download them to your smartphone. As always, you should be wary of what you download and install onto your device. Scammers often target you with emails containing links to themed apps, but by clicking on the link, you may be exposing yourself to downloading malware to your device. You should always stick to the official stores, be it Google Play or the App Store.

If you’re one of the lucky few who made it to Hard Rock Stadium, we have a piece of advice for you as well. In an attempt not to use up your precious data plan, you’ll want to use free Wi-Fi hotspots that will probably be available in abundance at the stadium. We recommend you avoid them, since spoofing a hotspot is quite easy. If you connect to one created by a bad actor, you can open yourself up to a plethora of breaches. If it is absolutely necessary to use one, at least use a VPN and avoid any activities that include sensitive data, such as accessing your bank account.

Hopefully, these tips have given you at least a general idea of the trick plays bad actors use to get past your defensive line. Now you can safely brandish your colors and hope your team takes that Lombardi trophy home!

31 Jan 2020 – 02:00PM

Winnti Group targeting universities in Hong Kong

ESET researchers uncover a new campaign of the Winnti Group targeting universities and using ShadowPad and Winnti malware

In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules. The Winnti malware was also found at these universities a few weeks prior to ShadowPad.

The Winnti Group, active since at least 2012, is responsible for for high-profile supply-chain attacks against the video game and software industries leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims. It is also known for having compromised various targets in the healthcare and education sectors.

ESET researchers recently published a white paper updating our understanding of the arsenal of the Winnti Group, following a blog post documenting a supply-chain attack targeting the videogame industry in Asia. Additionally, we published a blog post on a new backdoor named skip-2.0 that targets Microsoft SQL Server.

This article focuses on the technical details of this new ShadowPad variant.

About the “Winnti Group” naming:

We have chosen to keep the name “Winnti Group” since it’s the name first used to identify it, in 2013, by Kaspersky. Since Winnti is also a malware family, we always write “Winnti Group” when we refer to the malefactors behind the attacks. Since 2013, it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group.

ShadowPad found at several Hong Kong universities

In November 2019, ESET’s machine-learning engine, Augur, detected a malicious and unique sample present on multiple computers belonging to two Hong Kong universities where the Winnti malware had already been found at the end of October. The suspicious sample detected by Augur is actually a new 32-bit ShadowPad launcher. Samples from both ShadowPad and Winnti found at these universities contain campaign identifiers and C&C URLs with the names of the universities, which indicates a targeted attack.

In addition to the two compromised universities, thanks to the C&C URL format used by the attackers we have reasons to think that at least three additional Hong Kong universities may have been compromised using these same ShadowPad and Winnti variants.

This campaign of the Winnti Group against Hong Kong universities was taking place in the context of Hong Kong facing civic protests that started in June 2019 triggered by an extradition bill. Even though the bill was withdrawn in October 2019, protests continued, demanding full democracy and investigation of the Hong Kong police. These protests gathered hundreds of thousands of people in the streets with large support from students of Hong Kong universities, leading to multiple university campus occupations by the protesters.

We have contacted the compromised universities and provided the necessary information and assistance to remediate the compromise.

Updated launcher

Unlike previous ShadowPad variants documented in our white paper on the arsenal of the Winnti Group, this launcher is not obfuscated using VMProtect. Furthermore, the encrypted payload is neither embedded in the overlay nor located in a COM1:NULL.dat alternate data stream. And the usual RC5 encryption with a key derived from the volume ID of the system drive of the victim machine (as seen in the PortReuse backdoor, skip-2.0 and some ShadowPad variants) is not present either. In this case, the launcher is much simpler.

DLL side-loading

The launcher is a 32-bit DLL named hpqhvsei.dll, which is the name of a legitimate DLL loaded by hpqhvind.exe. This executable is from HP and is usually installed with their printing and scanning software called “HP Digital Imaging”. In this case the legitimate hpqhvind.exe was dropped by the attackers, along with their malicious hpqhvsei.dll, in C:WindowsTemp.

Although we do not have the component that dropped and executed this launcher, the presence of these files leads us to think that the initial execution of this launcher is done through DLL side-loading.

When the malicious DLL is loaded at hpqhvind.exe startup, its DLLMain function is called that will check its parent process for the following sequence of bytes at offset 0x10BA:

85 C0 ; test eax, eax
0F 84 ; jz

In the case where the parent process is hpqhvind.exe, this sequence of bytes is present at this exact location and the malicious DLL will proceed to patch the parent process in memory. It replaces the original instructions at 0x10BA with an unconditional jump (jmp – 0xE9) to the address of the function from hpqhvsei.dll that decrypts and executes the encrypted payload embedded in the launcher.

The decompiled function responsible for patching the parent process is shown in Figure 1. In case hpqhvsei.dll is loaded by a different process than hpqhvind.exe, the malicious code will not be decrypted and executed.

Figure 1. Decompiled function responsible for patching the parent process

The difference between the original and patched hpqhvind.exe is shown in Figure 2.

Figure 2. Difference between original (left) and patched (right) hpqhvind.exe

The part of the code that is patched is located at the very beginning of the main function of hpqhvind.exe. As we can see in Figure 2, the patched code is located right after the load of hpqhvsei.dll. This means that the function responsible for decrypting and executing the payload is executed directly after the load of the malicious DLL.

Payload decryption

The encrypted payload is located in the .rdata section of hpqhvsei.dll and the decryption algorithm is an XOR loop where the XOR key is updated at each iteration, as shown in Figure 3.

Figure 3. Pseudocode of the payload decryption loop

The decrypted payload is the usual shellcode responsible for ShadowPad initialization (obfuscated using fake conditional jumps to hinder disassembly).

Persistence

After having been decrypted, ShadowPad’s shellcode is executed. It will first achieve persistence on the system by writing the in-memory patched parent process to disk to a path specified in the configuration string

IoT laws are coming: What to expect

No more default logins on new IoT devices if UK legislators get their way

I just returned from CES, where virtually every aisle was chock-full of IoT devices. But how secure are they? While we’ve been promoting security on these devices for some time now, IoT developers have been slow to adopt. Lawmakers in California took some notice in 2018, and now it seems that legislators in the United Kingdom want to take things to the next level, too.

While it’s unclear whether the proposed legislation will be adopted, UK MP’s have this to say:

“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”

Whether or not the legislation is enacted, this sends a strong signal to the industry that government intervention seems likely. While other countries may take a wait-and-see approach, it seems likely further laws will be enacted around the globe over time.

The good news is that basic IoT security steps are not overly burdensome. Requiring the new owner to change the default login password when users log in for the first time is something the industry has known about for some time, and is not costly to implement.

Setting a lifespan for firmware updates certainly does cost more since companies would be paying to support firmware that would no longer directly result in revenue. Companies with longer term vision tend to already be thinking along those lines, but forcing them to state when support will end brings it to the fore.

It’s unclear whether customers understand the importance of knowing the support lifespan until it lapses years later and vulnerabilities are then discovered.

The industry counters obtusely by promoting frequent customer upgrades in light of new technological advances to their platforms, but it doesn’t always happen. Everyone knows someone with a 5- or 10-year-old home router, for which support has long since lapsed while the device itself is still actively in use.

And that’s the problem.

We see newly minted attacks against herds of common routers that show no signs of being retired anytime soon. These machines, once zombified, can be used to launch and amplify attacks worldwide, often without the knowledge of their owners.

Related reading: Secure your router: How to help prevent the next internet takedown

One more thing: the UK lawmakers seek to compel companies to maintain a security point-of-contact, something that’s all-but-impossible to find today, especially in smaller companies.

Will this legislation slow innovation? Somewhat, but hopefully the proposed changes would only require moderate efforts from good actors to implement. And whether or not this draft of proposed legislation becomes law, some soon will, so manufacturers would do well to take note.

30 Jan 2020 – 11:30AM

Hackers blitz social media accounts of 15 NFL teams

The league and scores of teams were caught off-guard by the re-emergence of an infamous hacking group

Fifteen National Football League (NFL) teams, including this year’s Super Bowl contenders the San Francisco 49ers and Kansas City Chiefs, have had their social media accounts hacked. To add insult to injury, the NFL’s official account on Twitter was also hijacked, which isn’t the first time this has happened. A hacker collective that calls itself OurMine has claimed responsibility for the incidents.

All the account takeover attacks appear to have taken place over the span of a few hours on Monday. According to the group’s tweets, they were able to hijack the Twitter, Facebook and Instagram accounts of some of the teams. The affected accounts had their profile photos, Twitter header, name and even in some cases, their bio deleted. Many accounts contained some of these now-deleted messages, shared by NFL reporter Dov Kleiman:

The twitter accounts for the @NFL, @Chiefs, @packers and @ChicagoBears got hacked. pic.twitter.com/7Ps2kINm4b

— Dov Kleiman (@NFL_DovKleiman) January 27, 2020

Facebook and Twitter provided The Hill with statements, noting that they were investigating the incidents. Another statement by Twitter for Bloomberg elaborates that the hack originated through a third-party platform, although there are no details as to how exactly the attacks unfolded. Currently, all accounts have been restored and bear no signs of the attack.

The timing of these attacks doesn’t seem random and may be seen as a bid to boost the group’s notoriety, as the week leading up to Super Bowl Sunday is one of the most media-heavy weeks.

Apologies that our account was compromised this morning. We’re back in the game & ready for the Pro Bowl. 🐻⬇️

— Chicago Bears (@ChicagoBears) January 26, 2020

The collective has hit popular social media accounts before. Their long list of victims includes Spanish soccer teams Real Madrid and FC Barcelona, entertainment giants Netflix and Marvel, as well as tech titans, such as Google CEO Sundar Pichai and Twitter co-founder Jack Dorsey.

Account takeover attacks often leverage credential stuffing, an automated method that deploys bots for login attempts. Using stolen or spilled access credentials that belong to one account in order to break into other accounts, the bots will hammer the sites with login attempts until they hit on the right combination.

You can mitigate the chances of having your accounts hacked by using two-factor authentication (2FA) wherever the option is available. Most services offer 2FA as an extra security layer against exactly the types of attacks the NFL and its teams suffered. Twitter, Facebook and Instagram offer several 2FA methods. If you have the sudden urge to double down on your security and enable the option on your accounts, you can refer to our recent article that explains the ins and outs of 2FA.

28 Jan 2020 – 03:06PM

How to take charge of your Google privacy settings

Have you had a Google Privacy Checkup lately? If not, when better than Data Privacy Day to audit the privacy of your Google account?

Users have become increasingly sensitive about how their data is handled, which in turn means that tech companies face increasing scrutiny. Google, for example, has introduced new privacy features in recent years in a bid to increase the transparency of how it handles data and to put control back in the users’ hands.

One simple way to boost your Google account privacy is to use the Privacy Checkup feature. In a number of simple steps, the tool enables you to manage your data on various products and services rub by the company. Let’s dive in now and review some of the key privacy decisions you may want to make when it comes to using Search, YouTube, Maps or other Google-operated services. [Bear in mind that your dashboard may vary depending on the products and services that you use.]

Web and app activity

When this option is turned on, Google saves your browsing activity on both its site and your local apps while you’re signed in. When it comes to the web and the Chrome web browser, it keeps a pretty thorough history of your searches, the sites you’ve visited, and your activities. If you have an Android smartphone, it also records the apps you’ve interacted with, the precise time at which you did and how many times you used them throughout your day.

Google reasons that all of this is necessary for it to deliver a more tailored experience to its users, including faster search results and smarter experiences when using its suite of apps. You can either turn it off altogether, which means Google will not record your Chrome history (it doesn’t mean that your ISP will not know what you browse), your activities, apps and devices and your voice and audio recordings. Moreover, you have the option to either delete it manually or to have it deleted automatically every 3 months or every year and a half.

Location history

This sounds quite self-explanatory, but if you’re still in doubt, Google will create a map of all the locations where you’ve been with devices that you use with their services. Bear in mind that if this option is turned on, your location will be recorded even though you might not be using any Google service at that moment.

This feature should help with map searches or with your commuting routes. You can pause or turn off the recording of your location history at any time, but that doesn’t mean that the data that has been already collected is wiped. You have to do that manually, in the Google Maps Timeline, unless you want to have a memory of all the places you’ve visited.

Alternatively, you can choose which devices report your location and which don’t. This map should be accessible only to you unless you’re hacked or share your password.

Voice and audio recordings

If you use Google Assistant to simplify your life, and this option is turned on, then your voice commands are being recorded and saved. In fact, it saves other audio inputs as well; Google uses these inputs to improve its speech recognition. It is bundled under the Web and App Activity section, so if you want to browse through the different commands and questions, you’ll have to use the search bar and filter the results. As for turning it off, you can do that separately in the Activity controls section.

YouTube history and what you share

When this option is turned on, Google saves a record of all the videos you watch and your search history in this service. While signed in, YouTube remembers where you stopped watching videos and, based on your history, gives recommendations that are not limited to just this service, but other Google services as well.

You can browse through your history, clear it and even pause the recording of your watching habits altogether. If this seems like a watered-down explanation of how YouTube history works, you can check out this explanatory video published by Team YouTube.

A thing we tend to forget about YouTube is that it is not only a site that we use to watch videos, but a social network as well. So, you should also do an audit of what you share and what other users can see about you, ranging from your subscriptions to your playlists. You can also curate your activity feed which means toggling whether every video you like (except the private ones, of course) or playlist you save is posted to your feed.

Ads settings

The Ads settings control doesn’t allow you to turn off advertisements. Rather, it allows you to change the types of advertisements you see based on your interests, age, gender and other information Google has accumulated. This means if you do turn Ad personalization off, you’ll get general advertisements and not those that may pique your interest; you may also see more advertisements in Google Search results. If you want to limit the number of ads you see, perhaps an adblocker add-on for your browser would be a better choice.

Control what others see about you

This basically is your profile, so depending on how much you’ve filled out, that’s how many options you can edit. If you’ve kept it locked down tight, then your profile may include as little as your name, and birthday (which you can hide). The option that you should focus on in this section is the Shared endorsements segment. If it is turned on, your reviews can be visible to other users to promote businesses or even be used in Google ads. It should be turned off by default – but checking to make sure doesn’t hurt.

As far as recommendations go, it is up to you to decide whether you value your privacy more or that you’re willing to make concessions for convenience’s sake. It may take a bit of fidgeting around to find the settings you’re comfortable with, but it will be well worth your time. If you forget to go through the settings every couple of months, you can also opt-in for an email reminder to review the settings every now and then. Your privacy is an issue that shouldn’t be taken lightly, and you should audit your settings in all the services you use – at least a couple of times a year.

And, now that you have done this for your main Google account, you should systematically review these settings while logged into any other Google accounts you use. Further, if you regularly browse the web while not logged into Google services, you should review these settings while not logged in, and you have to do this in every browser and on every device that you use for such activities, as these settings are tied to cookies stored in each browser, rather than to each specific account.

28 Jan 2020 – 11:30AM

Job hunting? Beware hiring scams using spoofed company websites

Cybercriminals are putting a new twist on an old trick

Scammers are combining spoofed company websites and fake job ads to trick unsuspecting job seekers into surrendering their sensitive information and paying fraudulent fees.

According to a recent public service announcement by the FBI’s Internet Crime Complaint Center (IC3), fraudsters increasingly post job openings on legitimate job boards and, in order to boost their aura of authenticity, direct people to fake domains whose names resemble those of real, reputable companies. The goal is to hoodwink job seekers into parting with their personal information that could be misused for a whole range of illicit activities, such as opening bank accounts in the victims’ names or even in getting fake documents.

Many people, duly excited about the prospect of being hired, apply on the fake websites or respond to the ads. “According to victims, cybercriminals impersonate personnel from different departments, including recruiters, talent acquisition, human resources, and department managers,” said the FBI.

After the victim is interviewed and “hired”, they will receive a fake employment contract to physically sign, and a request to provide a copy of their personal information. Usually, that consists of a copy of a driver’s license, Social Security number, direct deposit information, and credit card information. The scammers may turn it up a notch by also requesting that the victim should pay upfront for a variety of things, such as a background check or equipment. After the money is transferred, their scam concluded, they stop replying.

How to protect yourself

It is understandable that in a quest for a job we get so excited by the possibility of getting hired that we tend to overlook the warning signs of something being amiss. This is especially true if the job market is volatile and overcrowded, providing scammers with ample opportunity to trick job seekers.

You should always adhere to the golden rule “trust but verify”. Run a web search on the company you’re seeking to join to see if anything suspicious comes up, such as multiple websites. Companies usually conduct on-site interviews – conference calls take place if one of the parties is not able to appear in person. When such calls take place, they are conducted through official channels.

Another thing that you need to keep in mind is that an employer will never request your credit card information. As for the personal information you provide for salary purposes, those are requested after you’ve been officially hired, and you can provide those in person to the accounting department at the company.

Job scams have been around for years, of course. According to its 2018 Internet Crime Report victims were swindled out of US$45 million by hiring scams, an increase of US$6 million compared to the previous year. The FBI reports that the average loss per victim is around US$3,000 and a hit to their standing with their banks.

Related reading:

The perfect job? Dream on! Five signs a job offer is a scam
Simple steps to protect yourself against identity theft

27 Jan 2020 – 06:34PM

Week in security with Tony Anscombe

Zero-day in Internet Explorer – Microsoft cloud leaked big – Dating apps accused of sharing user data with advertisers

Microsoft has disclosed a vulnerability in the Internet Explorer web browser that is being actively exploited and has yet to receive a patch. More than 250 million customer service and support records were exposed by Microsoft for two days late last year. A consumer group has found that popular dating apps, including Tinder and OkCupid, share personal data about their users with advertisers. All this – and more – on WeLiveSecurity.com.

Google: Flaws in Apple’s privacy tool could enable tracking

Safari’s anti-tracking feature could apparently give access to users’ browsing habits

An anti-tracking tool baked into Apple’s Safari web browser was found to contain flaws that, if abused, could enable the very thing that the tool was designed to prevent, according to a team of Google researchers.

In a recently released report, the researchers disclosed multiple vulnerabilities in the browser’s privacy tool that could allow bad actors to take a peek at your browsing and search history.

Apple counts users’ privacy safeguards as one of the cornerstones of its business and one of its main selling points. In 2017, the company released a privacy tool for Safari, called Intelligent Tracking Prevention (ITP). The move was met with much ire from the marketing and advertising community. The tool itself limits cross-site tracking and third-party cookies, which are mostly used by online marketing companies to track users across different websites. Based on collected statistics and user interactions, ITP evaluates which cookies to limit.

In a strange twist, the paper’s authors argue that security and privacy flaws in Safari’s ITP design can have an opposite effect to its intended use. These would include the disclosure of browsing habits, as well as allow persistent cross-site tracking and even enabling cross-site information leaks.

“Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user’s ITP list. By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list; it can repeat this process and reveal ITP state for any domain. Because the ITP list implicitly stores information about the websites visited by the user, leaking its state reveals sensitive private information about the user’s browsing habits.”

The researchers, who described five different scenarios for abusing ITP’s design, submitted their findings to Apple back in December. The latter promptly acknowledged the problem and issued updates to Safari and ITP to fix it. However, Justin Schuh, Google’s director of Chrome Engineering disputed on Wednesday that the issues had been fixed.

Targeted marketing has been a thorn in users’ side for quite some time, with most usually resorting to adblockers to limit the number of ads they see. While tech firms have been developing tools such as the ITP and limiting third-party cookies but not all of them agree on the method.

24 Jan 2020 – 02:20PM

Microsoft exposed 250 million customer support records

Databases containing 14 years’ worth of customer support logs were publicly accessible with no password protection

More than 250 million customer service and support records were exposed by Microsoft over a two-day period in December 2019 due to a server misconfiguration. Since the records weren’t secured with any authentication measures, anyone with an internet connection and a browser could have accessed the data.

The same set of 250 million records was stored on five Elasticsearch servers, which were spotted by Comparitech’s security researcher Bob Diachenko and his team on December 29th. They immediately notified Microsoft, which secured the data and started an investigation within two days.

Microsoft apologized for the incident and was quick to assure users that it had detected no malicious use of the leaky servers. The tech giant has also been in the news of late for other reasons, notably a severe vulnerability in Windows and a zero-day flaw in Internet Explorer.

What data?

The records comprised logs of exchanges between Microsoft’s customer support and its customers, spanning a 14- year period from 2005 to 2019.

While most of the sensitive information that was personally identifiable, such as payment information, was redacted, there were still a lot of records that were in plain-text form. The latter included IP addresses, locations, and internal notes which were marked “confidential”, customer email addresses, descriptions of customer service support claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks.

The cause?

The investigation revealed that the culprit was a change in the database’s network security group, which contained misconfigured security rules.

Such misconfigurations are not a rare occurrence, and we recently reported on a data leak that exposed birth certificate applications. Indeed, Microsoft echoed this very sentiment in a blog addressing its customers:

“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

Another data leak involving a misconfigured Elasticsearch server affected nearly all of Ecuador’s population a few months ago.

23 Jan 2020 – 12:58PM